Centralized Authentication with Kerberos 5, Part I

This tells you if you need to use special configure options for your
site. /usr/local/ is the default installation directory. If you need
this software in another directory, use a --prefix=/new/path/to/directory
flag in the next step.

5) In almost all cases, the default should be fine:

% ./configure

6) Compile the package with:

% make

I had a problem with one file in the krb5-1.3.4/src/kadmin/testing/util
directory, which can be safely ignored. Restart the compilation with
%
make -i in this case.

7) Check whether everything compiled correctly with:

% make check

8) If everything looks okay, install the package with:

% sudo make install

Never compile code as root. Use root privileges only when necessary, as
in these installation steps.

9) You now have MIT Krb5 installed in /usr/local/. Some additional
directories need to be created by hand and their permissions set:

If you really need or want to compile your own PAM module, here are
the steps to get a working version of the module shipped by Red Hat.
Get the source (see Resources)
and upack it with:

% tar zxf pam_krb5-1.3-rc7.tar.gz
% cd pam_krb5-1.3-rc7

Your $PATH environment variable has to have the Kerberos distribution
of your choice first, in case you have more than one distribution on
your computer. For example:

% PATH=/usr/local/bin:$PATH

if you have installed your own version in /usr/local. Then execute:

% ./configure

Then compile and install the package with:

% make
% sudo make install

Creating Your Realm

A Kerberos realm is an administrative domain that
has its own Kerberos database. Each Kerberos realm
has its own set of Kerberos servers. The name of
your realm can be anything, but it should reflect your
place in the DNS world. If the new Kerberos realm is
for your entire DNS domain example.com, you should
give the same name (with all capital letters, this
is a Kerberos convention) to your Kerberos realm:
EXAMPLE.COM. Or, if your are setting up a new
realm for your engineering department in example.com,
a realm name of ENG.EXAMPLE.COM could be chosen.

The first step for creating your own realm is to
create a /etc/krb5.conf file that contains all
the necessary information about this realm. The
krb5.conf file needs to be on every computer that
wants access to your new Kerberos realm. Here is an
example file for the realm EXAMPLE.COM with the
KDC and administration servers running on machine
kdc.example.com:

The next file, /usr/local/var/krb5kdc/kdc.conf, configures the KDC server.
It needs to be on only the computer running the KDC dæmon.
Every entry has a reasonable default. Creating an empty file should be
sufficient for most cases:

% sudo touch /usr/local/var/krb5kdc/kdc.conf

The following commands need to be executed on the computer that will become
your KDC.
The command:

/etc/hosts MUST contain a line associating the KDC server not with a loopback address (WRONG: "127.0.0.1 kdc.example.com") but with a real IP address available over the network (RIGHT: "128.231.35.98 kdc.example.com"). Ports 88 and 749 must be unfirewalled.

(Since I'm currently out of town and can't fiddle with my router, I'm temporarily assigning KDC to the local address assigned by the router (192.168.2.3), although of course this means I can't access Kerberos over the Internet).

The second requirement is harder to meet. All account names, UIDs and GIDs have to be the same on all your
computers. This is necessary because each of these accounts becomes a new and independent Kerberos account,
called a principal. You have to go through all your local /etc/passwd files and check whether this requirement is
met. If not, you need to consolidate your accounts. If you want to add Windows or Mac OS X clients to your
Kerberos installation, you need to look at all the accounts on those machines as well.

I assume this only applies to user accounts (ie uid > 1k), it would be an utter pain to have to synchronise system accounts across multiple machines.

Running "kdb5_util create -s" gave me the error "Improper format of Kerberos configuration file while initializing Kerberos code" with the example krb5.conf in the article.
Removing all leading whitespace from krb5.conf did the trick.
Thank you btw

I've been following the directions in this article and the the subsequent articles about centralized authentication and I was delighted to get my kerberos implementation working. But upon further investigation, I realized that although login and sudo works, applications that use gksudo, such as synaptic don't is there a solution for this. I found a few others with this promlem on the internet, but I couldn't find any solutions. Many thanks for your help on this issue, and all of your very informative articles.

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.